Date: Mon, 29 Mar 2004 22:56:49 -0600 From: "Jacques A. Vidrine" <nectar@FreeBSD.org> To: Oliver Eikemeier <eikemeier@fillmore-labs.com> Cc: FreeBSD Security <security@FreeBSD.org> Subject: Re: cvs commit: ports/multimedia/xine Makefile Message-ID: <20040330045649.GE5998@madman.celabo.org> In-Reply-To: <4068B425.1070607@fillmore-labs.com> References: <200403282344.i2SNi6Hq047722@repoman.freebsd.org> <20040329163309.GA81526@madman.celabo.org> <40686785.7020002@fillmore-labs.com> <20040329185347.GB87233@madman.celabo.org> <40687E18.9060907@fillmore-labs.com> <20040329201926.GA88529@madman.celabo.org> <40689343.4080602@fillmore-labs.com> <20040329224011.GA94303@madman.celabo.org> <4068B425.1070607@fillmore-labs.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, Mar 30, 2004 at 01:41:25AM +0200, Oliver Eikemeier wrote: > Hooks would be nice, but I guess we should have something in the base, > or at least let sysinstall install it by default before adding other > packages. *nod* Hooks fulfill the role either way, but have the advantage of allowing alternatives. > >Personally, I was quite pleased with the way that you have it set up: > >if users install portaudit, then they will be warned daily about ports > >that they have installed; and attempting to build the port results in > >much the same thing as FORBIDDEN. > > > >(I guess I could have some misunderstanding, though.) > > No, that is precisely the idea: marking a port in portaudit results in > much the same thing as FORBIDDEN, so the criteria to add a package to > the portaudit database is excatly the same as marking a port as > FORBIDDEN because of security reasons. That doesn't logically follow. The criteria for marking a port FORBIDDEN is (currently) quite different than the criteria for entering an issue into the FreeBSD VuXML document. I didn't in particular create VuXML to replace FORBIDDEN--- although I don't object if that is what folks want. > >Without portaudit, we have the current situation. The only ports > >marked FORBIDDEN are those where someone believed that problems are > >serious enough to mark it so. > > This should be the same with portaudit, even on past revisions of the > ports: The only port added in the portaudit database should be those > where someone believed that problems are serious enough to mark it so. > > To cite portaudit(1): > > "If you have a vulnerable package installed, you are advised to update or > deinstall it immediately." OK, I think I understand your viewpoint. I believe you are asking for some connection to be made between VuXML and FORBIDDEN. But portaudit doesn't *in fact* have anything to do with that policy. portaudit is *in fact* a tool for implementing an alternate policy. In other words, you can't equate portaudit's policy with the FreeBSD Ports Collection's FORBIDDEN policy. That's begging the question. > >I often mail folks when I enter their port into VuXML. I intend to > >automate this nagging, but just haven't gotten around to it yet. > > What is the point in not marking those port as FORBIDDEN? It is easy to > remove (so you don't romp over port maintainers, like just committing the > fix, which might be done differently), gives maintainers time to analyze > the issue without piecing together a quick fix and prevents the vulnerable > version from being installed. In my eyes this benefits maintainers (who have > to fix these issues anyways, but have more room to do so) as well as users > (which normally do not want to use vulnerable ports, especially since > exploits get more popular every day), or do I make a mistake here? What are the advantages of this approach versus automated nagging, and prudently applying FORBIDDEN? I've already stated what I think the disadvantages are. But, of course I'm ready to hear more. [...] > >I'd like to take a step before committing myself (and any would-be > >VuXML contributor) into assigning a severity to every issue. If > >there is rough consensus from the ports community (committers and > >maintainers) that any documented security issue is grounds enough to > >mark a port FORBIDDEN, then we'll follow the policy that (entry in > >VuXML document) == (port must be marked FORBIDDEN). > > > >This seems to be your stance, and I do not think it is unreasonable. > >Although I made the comment earlier that I don't share the opinion, it > >is nonetheless attractive because it is simple :-) > > I can live with both. Either VuXML contains only entries that are so > serious that a port should be marked FORBIDDEN, or it contains additional > entries that are not of this importance and are marked as such. I guess we are at contrapoint. I specifically do not wish to constrain VuXML entries to only those which are ``serious'' (by some widely-accepted definition of `serious'). And I specifically want to avoid assigning severity to entries. See my other recent posting for reasons why. > The decision how severe an issue is has already be made with every commit > to the VuXML document (by marking the affected ports as FORBIDDEN or not), > it is only not documented. This is just a question of a clearly stated > policy, not about assigning a severity - that is already done. Well, you do have a point. So, I'm happy with this approach, but also willing to be convinced that other approaches are better. :-) Just in case I haven't stated it enough times yet to be clear, I'll do it once more: If the community wants all ports that become listed in the VuXML document to be marked FORBIDDEN--- well, we can arrange that. Cheers, -- Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040330045649.GE5998>